Skip to content
An AFF4 C++ implementation.
Branch: master
Clone or download
scudette Large refactor (#86)
* Large refactor of API

- Removed AFF4FactoryOpen and cache based resolving.
- Removed automatic class registry - it was too complicated and hard
  to track.
- API is now more typical c++ RAII based. It means callers need to be
  careful about the order of destruction but this is typical of C++.
Latest commit 1c463e8 Mar 18, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
aff4
docker OSX and linux pmem did not support raw output. (#85) Feb 23, 2019
docs Updated docs. (#10) Feb 8, 2018
m4
samples
tests
tools
.gitignore
.gitmodules Renamed src directory to aff4. (#13) Feb 12, 2018
AUTHORS Added documentation and comments. Jan 31, 2015
CHANGES
CONTRIBUTING
INSTALL
LICENSE Initial commit Jan 10, 2015
Makefile.am
NEWS
README.docker
README.linux
README.md
README.windows
autogen.sh AFF4 Standard v1.0 C/C++ support Apr 6, 2017
configure.ac Added lz4 support (#77) Feb 8, 2019
docker-compose.yml

README.md

AFF4 -The Advanced Forensics File Format

The Advanced Forensics File Format 4 (AFF4) is an open source format used for the storage of digital evidence and data.

The standard is currently maintained here: https://github.com/aff4/Standard

Reference Images are found: https://github.com/aff4/ReferenceImages

This project implementats a C/C++ library for creating, reading and manipulating AFF4 images. The project also includes the canonical aff4imager binary which provides a general purpose standalone imaging tool.

The library and binary are known to work on Linux (all versions since Ubuntu 10.04), Windows (All versions) and OSX (All known versions).

What is currently supported.

Currently this library supports most of the features described in the standard https://github.com/aff4/Standard.

  1. Reading and Writing ZipFile style volumes

    a. Supports splitting of output volumes into volume groups (e.g. splitting at 1GB volumes).

  2. Reading ahd Writing Directory style volumes.

  3. Reading and Writing AFF4 Image streams using the deflate or snappy compressor.

  4. Reading RDF metadata using Turtle.

  5. Multi-threaded imaging for efficient utilization on multi core systems.

What is not yet supported.

This implementation currently does not implement Section 6. Hashing of the standard. This includes verifying or generating linear or block hashes.

Copyright

Copyright 2015-2017 Google Inc. Copyright 2018-present Velocidex Innovations.

References

[1] "Extending the advanced forensic format to accommodate multiple data sources, logical evidence, arbitrary information and forensic workflow" M.I. Cohen, Simson Garfinkel and Bradley Schatz, digital investigation 6 (2009) S57–S68.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.